Cyber-censorship in Norway

This note was originally written in January 2010 in response to a request from Dan Larsen of the OpenNet Initiative. Larsen was conducting a survey on the situation regarding Internet censorship and surveillance in Scandinavia. However, since I know of no other place that keeps tabs on this information, I've turned it into a working note that I update at irregular intervals as legislation and case law evolves. It addresses the situation in Norway to the best of my ability. Please use the comment field or send me a PM if you have corrections or additional information.

This working note addresses five different aspects of Internet surveillance and censorship in Norway. First, it discusses the legal framework in Norway for ongoing surveillance and censorship, including relevant case law. It then describes the voluntary filtering scheme that is currently operated in Norway (i.e. the controversial Child Sexual Abuse Anti Distribution Filter). There are also brief sections about what data is considered illegal in Norway. Finally, it describes what individuals and groups that act as initiators of Internet filtering in Norway.


Surveillance on Internet activity takes place on three levels in Norway: 1) By private operators; 2) By the police; and 3) by the military. The legal framework for each of these groups are discussed below.


In Norway “Lov om behandling av personopplysninger” (Personopplysningsloven – Personal Data Act, which is based on the EU privacy directive) imposes regulation on what personal data a private operator can obtain through surveillance and record. An IP address is considered personal data according to this law, and an IP address about criminal activity is sensitive personal data and can not be recorded by a private operator unless the operator has permission to do so from the the Norwegian Data Inspectorate (Datatilsynet).

However, the legal company Simonsen Advokatfirma DA has since 2006 had such a permission[5] to register the IP-addresses of users suspected of taking part in illegal file sharing. The IP address, however, does only indirectly identify the subscriber. It need to be linked with the traffic data record held by the subscriber's Internet Service Provider (ISP) to identify the subscriber.

The legal company has also drafted a letter threatening legal action if the user continues file sharing and requested that ISPs forward this letter to the relevant subscribers, which the ISPs also have declined to do. This strategy has not been pursued.

The legal company has also requested that ISPs hand over the subscriber information associated with these IP addresses to the legal company, which the ISPs also have declined to do.

The legal company has then – in a single case – gone to the court, and asked for a court order that a large regional ISP (Lyse tele) hand over subscriber information in a particular case where an individual had uploaded two copyrighted motion pictures to a file sharing network. The case was decided in Høyesterett (the supreme court) on 2010-06-18 (HR-2010-1060-A - Rt-2010-774), and the ISP was ordered to surrender the information to the legal company. This resulted in the person being identified. He confessed, and was subsequently convicted.

In May 2011, the Ministry of Culture proposed a change to the law. If passed, rights holders will no longer require permission from the Data Inspectorate to do this type of surveillance. This proposed change is as of January 2012 pending lawmakers' approval.

In 2011, the EU data retention directive was incorporated in Norwegian law, making it compulsory for ISPs to store all traffic data for six months. Usually, only law enforcement is supposed to have access to this data, but an exception was added to the law saying that traffic data identifying the subscriber associated with an IP address must be given to a private operator when the ISP is ordered to so by a court. At the same time, the telecommunications act was changed to remove the duty of confidentiality that telecommuncation operators (including ISPs) otherwise has with respect to traffic data.


The legal framework with regard to Internet surveillance by the police is the same as for all communication (i.e. the old legal framework for telephony wiretapping has been extended so that also applies to communication over the Internet).

The relevant law is “Lov om rettergangsmåten i straffesaker av 1981-05-22 nr. 25” (Straffe­prosessloven – Penal process law), in particular chapter 16a.[1] The legal terms for wiretapping/eavesdropping are “kommunikasjonskontroll” and “kommunikasjons­avlyt­ting”.

To intercept email or to “bug” an Internet line requires a court order and person under surveillance need to be suspected of being involved in serious crime (i.e. a crime that may be punished with 10 years in prison, espionage, etc.). Here is the most relevant legal text in the original language:

§ 216a. Retten kan ved kjennelse gi politiet tillatelse til å foreta kommunikasjonsavlytting når noen med skjellig grunn mistenkes for en handling eller forsøk på en handling
a) som etter loven kan medføre straff av fengsel i 10 år eller mer, eller
b) som rammes av straffeloven §§ 90, 91, 91 a, 94 jf. 90, 104 a første ledd annet punktum, eller 104 a annet ledd jf. første ledd annet punktum, eller av § 162 eller § 317, jf. § 162 eller av lov om kontroll med eksport av strategiske varer, tjenester og teknologi m.v. § 5.


Kommunikasjonsavlytting kan bestå i å avlytte samtaler eller annen kommunikasjon til og fra bestemte telefoner, datamaskiner eller andre anlegg for elektronisk kommunikasjon som den mistenkte besitter eller kan antas å ville bruke. Som kommunikasjonsavlytting regnes også identifisering av kommunikasjonsanlegg ved hjelp av teknisk utstyr, jf. § 216 b annet ledd bokstav c, som skjer ved å avlytte samtaler eller annen kommunikasjon.

Unofficial translation into English by me of the above text:

§ 216a. The court may by injunction give to the police permission to perform communication monitoring when someone is reasonably suspected of an act or for attempting an action
a) which by law can lead to punishment of imprisonment for 10 years or more, or
b) affected by the Penal Code § § 90, 91, 91 a, 94 cf. 90, 104 a, first part, second sentence, or 104 a second part, cf. the first part, second sentence, or of § 162 or § 317, see § 162 or by the law on control of exports of strategic goods, services and technology, etc. § 5.


Communication monitoring may consist of monitoring calls or other communications to and from certain phones, computers or other facilities for electronic communications that the suspect possesses or it can be assumed that the suspect wants to use. Identification of communication systems using technical equipment which is accomplished by monitoring calls or other communications shall also be considered as communication monitoring, see § 216 b, second part, letter c.


Military Internet surveillance in Norway is regulated by “Lov om Etterretningstjenesten av 1998-03-20 nr. 11”[2] (Law about the [military] intelligence service). The law gives Forsvarets Etterretningstjeneste (ETJ) a very broad mandate to collect information that “serves the interest of Norway in relation to foreign states, organisations and individuals” (§ 3). The service must however, refrain from collecting information about Norwegian persons or legal entities (§ 4), but there seems to be no restrictions as far as foreigners are concerned.

This broad mandate empowers ETJ to do electronic surveillance on communication originating from foreign individuals and organisations at the border, in a very similar manner to the much more explicit Swedish FRA-law (FRA in Sweden = ETJ in Norway). It is however unknown how ETJ uses its surveillance mandate.


Norway is not a member of the EU, but it is part of the EEA, which means that it is obliged to implement first pillar EU directives. Norway has therefore enacted legislation corresponding to the EU Directive on electronic commerce 2000/31/EC, which (among other things) says that ISPs shall not monitor their subscriber's use of the net. However, the general interpretation of the directive in Norway is that the ISP may be responsible for illegal content on its servers (e.g. child pornography, copyrighted material) if the provider, upon obtaining such knowledge or awareness, do not act expeditiously to remove or to disable access to the content. A not-intended(?) result of the directive is that some ISPs have user agreements that empowers them to expeditiously remove any controversial content, including content that is clearly not illegal, just to make sure that they do not become part of any controversy surrounding such content.

For instance, in February 2008, the ISP Imbera removed the “Mohammed caricatures” from pages belonging to one of their customers[3]. The removal was done on grounds that Imbera had a “user agreement” that banned users from posting controversial content on Imbera's servers.

Beyond the EU Directive on electronic commerce, there is no legal framework in Norway supporting Internet censorship. There is a voluntary child porn filter that is discussed below.

In 2007, the Data Crime Committee (Datakrimutvalget – committee appointed by the Government to review the penal code with respect to computer crime) discussed making blocking of illegal content (i.e. child pornography, gambling sites) mandated by law.[4] This idea was dismissed by the majority of the committee and supported by the minority. It was not enacted into law. In May 2011, blocking illegal content was against suggested by the Ministry of Culture. This proposed change to the law are currently (January 2012) still pending lawmakers' approval.

Case law

The police shall on demand be given subscriber information associated with a particular IP-address used by a subscriber of the ISP without a court order. This follows from a Supreme Court decision in 1999 (HR-1999-88-A - Rt-1999-1944). The case in 1999 involved a user suspected of distributing child pornography, but as a result of this ruling, the police now get this data on demand in all types of cases.

IFPI (record industry organisation) has demanded that the ISP Telenor blocks The Pirate Bay, which the Telenor has declined to do. In 2009, IFPI took this to the courts. However, on February 9th, 2010, the court decided in favour of Telenor[6]. In May 2011, the Ministry of Culture proposed a change to copyright law that would, if passed, open up for mandatory blocking of domains found to infringe copyright. These changes to the law are in January 2012 still pending lawmakers approval.


All Norwegian ISPs (AFAIK) operate a voluntary CSAADF (Child Sexual Abuse Anti Distribution Filter). The filter is simply a blacklist of DNS-addresses that is maintained and distributed by Kripos (the Norwegian police for organised crime, economical crime and other serious criminal issues). Each ISP implements this blacklist in its Domain Name System (DNS) servers by redirecting attempts to access blacklisted pages to a page with a warning message. For my ISP (Uninett) this is the warning page.

The filter is an unlegislated cooperation between the ISPs and Kripos, initiated in 2004. The list of filtered addresses is secret, but a list of supposed blocked addresses was posted to Wikileaks [7] in April 2009. The list on Wikileaks contains 3518 DNS-addresses.

In September 2008, Minister of Justice, Knut Storberget, sent a letter to all Norwegian ISPs stating that unless adoption of the voluntary filtering scheme became universal, he would seek a change in legislation that made the CSAADF filter mandatory.[8] In light of this interference by the minister, it may may be argued that Norway's CSAADF filter constitute a covert form of government censorship, under the guise of a “voluntary” filtering scheme.

There has been two proposals to extend the blocking scheme to other types of illegal content other type of content than pictures of child abuse. In 2007, this proposal was rejected by lawmakers. In 2011, the idea resurfaced in a Ministry of Culture proposal. This proposal has not yet been decided by lawmakers.

Illegal or harmful content

Currently, only supposed child pornography is filtered.

Both unregulated gambling and file sharing of copyrighted material is generally regarded as illegal in Norway, and from time to time there are vocal proposals from various pressure groups that Norway should also filter gambling and file sharing sites. As noted above in the “Case Law” section, IFPI has so far not been able to get a court's backing for this type of filtering.

Norwegian law also imposes other limitations on freedom of speech. It is a criminal offence to breech a duty of confidentiality for certain professionals such as priests and physicians, to reveal military secrets. There is a privacy provision in the Criminal Code (Straffeloven § 390) that says:

Med bøter eller fengsel inntil 3 måneder straffes den som krenker privatlivets fred ved å gi offentlig meddelelse om personlige eller huslige forhold.

Unofficial translation into English by me of the above text:

A fine or imprisonment up to 3 months may be imposed on someone that violates privacy by publicly communicating about personal or domestic circumstances.

Norway also has laws that lets victims of defamation and libel seek for satisfaction through the courts.

In addition, Norway has a law that make hate speech illegal[9] (Straffeloven § 135a), and we even have a law about blasphemy[10] (Straffeloven § 142).

Hate speech:

§ 135a. Den som forsettlig eller grovt uaktsomt offentlig setter frem en diskriminerende eller hatefull ytring, straffes med bøter eller fengsel inntil 3 år.

Unofficial translation into English by me of the above text:

§ 135a. Any person who wilfully or through gross negligence publicly put forward a discriminatory or hateful expression, is punishable by fines or imprisonment for up to 3 years.


§ 142. Den som i ord eller handling offentlig forhåner eller på en krenkende eller sårende måte viser ringeakt for nogen trosbekjennelse hvis utøvelse her i riket er tillatt eller noget lovlig her bestående religionssamfunds troslærdommer eller gudsdyrkelse, eller som medvirker hertil, straffes med bøter eller med hefte eller fengsel inntil 6 måneder.
Påtale finner bare sted når allmenne hensyn krever det.

Unofficial translation into English by me of the above text:

§ 142. Someone who in words or actions publicly insult or in an offensive or hurtful manner shows contempt for any legal creed or religion that is exercised in the realm, or a legal religious community's religious doctrines or worship, or that contribute hereto, is punishable with fines or imprisonment for up to 6 months.
Prosecution only takes place when public interest mandates it.

It should be noted that the blasphemy law has not been enforced since 1912. There are some elements that argue that Norway should enforce its blasphemy law by filtering material that mocks religion, etc., but these are very marginal voices.

Who initiates filtering/censorship?

According to a press release[11] when the child porn filter debuted in 2004, it was the result of an initiative of the Minister of Justice, Odd Einar Dørum.

As noted, the Minister of Justice, Knut Storberget, in 2008 took an active role in getting all ISPs to adopt the “voluntary” filtering by sending the ISPs a letter telling them – in effect – that unless they adopted the CSAADF filtering scheme voluntary, he would seek legislation change to make filtering mandatory.

Currently, the main lobby organisations calling for filtering, censorship, and extended powers for private operators to monitor Internet activity is representing the recording and film industry. Among the most active is TONO (Norway's collecting society for musicians), the Norway chapter of IFPI (International Federation of the Phonographic Industry), and the Norwegian society for film- and tv producers, In addition to participate in the general public debate about filtering and censorship, these organisations participate in government working groups and publish white papers with specific proposals for changes to be made in copyright and privacy laws.

In the general public debate about filtering, both politicians, special interest groups such as “Redd Barna” (Save the Children), religious leaders, etc. from time to time suggests that specific censorship is implemented, but these are less visible than the recording and film industry.


Ronald Deibert: Access controlled: the shaping of power, rights, and rule in cyberspace, MIT Press, 2010, p. 330.
http://wikileaks.org/… [cached copy].